From: Steve Reid
To: Igor Roshchin
cc: freebsd-security@freebsd.org
Date: Tue, 24 Dec 1996 14:36:01 -0800 (PST)
Subject: Re: Holes in default cron jobs (fwd)

> Excuse me, I was wondering (it might be stupid, 'cause I am probably
> about something), why don't do a simple check for existence of the file,
> something like
>
> if ( -f $TMP ) then
>     rm -rf $TMP
> endif

Possible race condition. What if the attacker replaces the $TMP file with
a symlink, _after_ you perform that test, but _before_ you create the
actual file?

while true; do ln -s /etc/passwd /tmp/secure_12345; done

Also, an attacker could set up a whole bunch of processes to take CPU time
away from the cron job, giving him lots of time between your test and the
creation of the actual file. Who would notice such a thing at 2am?

With all of the attention given to buffer overflows recently, it's easy to
forget about race conditions and improper /tmp usage.
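
Added example (not part of the original message): a deterministic replay, inside a throwaway sandbox directory, of the check-then-create race described above, next to two mitigations: the shell's noclobber option and a private directory from mktemp -d. The function names and the "victim" file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. All paths live in a throwaway sandbox made by mktemp -d;
# "victim" is a constructed stand-in for a file the job's owner can write.

# Step 1 of the quoted pattern: test for the file, then remove it.
check_and_remove() {
    if [ -f "$1" ]; then rm -rf "$1"; fi
}

# Step 2, unsafe: a plain '>' follows whatever the name is by now,
# including a symlink that appeared after step 1.
create_unsafe() {
    echo "cron output" > "$1"
}

# Step 2, hardened: with noclobber (set -C) the redirect fails if the name
# already exists as a regular file or as a symlink to one.
create_exclusive() {
    ( set -C; echo "cron output" > "$1" ) 2>/dev/null
}

# Preferred: a private 0700 directory with an unpredictable name, so no
# other user can place anything inside it.
make_private_dir() {
    mktemp -d "${TMPDIR:-/tmp}/cronjob.XXXXXX"
}

# Replays the race deterministically: the link appears between the check
# and the create. Prints the victim file's content afterwards.
replay() {   # $1 = create_unsafe | create_exclusive
    box=$(make_private_dir) || return 1
    echo "original" > "$box/victim"
    check_and_remove "$box/secure_12345"
    ln -s "$box/victim" "$box/secure_12345"   # the window from the reply
    "$1" "$box/secure_12345" || true
    cat "$box/victim"
    rm -rf "$box"
}

echo "plain redirect: victim now holds '$(replay create_unsafe)'"
echo "noclobber:      victim now holds '$(replay create_exclusive)'"
```

A job that keeps all of its scratch files inside the directory returned by make_private_dir never has to test for or remove a predictable name in a world-writable /tmp at all.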